LoginTC Product Security Advisory
Advisory ID: LTC-PSA-2021-001
Publication Date: 2021-03-12
Status: Confirmed, Fixed
Document Revision: 1
Overview
Cyphercor has identified an issue in deployments that use the LoginTC Windows Logon and RDP Connector (version 1.0.3 and below) in which it is possible to launch Windows dialogs from the second factor authentication prompt.
Description
Once a user has entered valid first factor authentication credentials (username and password), the LoginTC Windows Logon and RDP Connector displays a window for completing a second factor authentication challenge. Through a combination of mouse and keyboard actions it is possible to launch Windows dialogs (Find Dialog, Open Dialog, Browser Dialog, Print Dialog) from this window and, in certain cases, subsequently run programs.
Impact
A user with valid first factor authentication credentials (username and password) may be able to launch dialogs (Find Dialog, Open Dialog, Browser Dialog, Print Dialog) prior to performing second factor authentication.
Affected Product(s)
- LoginTC Windows Logon and RDP Connector 1.0.3 and below
Solution
Install the LoginTC Windows Logon and RDP Connector version 1.1.0 or later on the Windows host. The latest release can be downloaded from the LoginTC Windows Logon and RDP Connector page. See the LoginTC Windows Logon and RDP Connector Upgrade guide for upgrade instructions.
Vulnerability Metrics
Vulnerability Class: CWE-284: Improper Access Control
Remotely Exploitable: Yes
Authentication Required: Yes/Partial (first factor required; second factor bypassed)
Severity: High
CVSSv2 Overall Score: 7.3
CVSSv2 Group Scores: Base: 6.8, Temporal: 5.6, Environmental: 7.3
CVSSv2 Vector: AV:L/AC:L/Au:S/C:C/I:C/A:C/E:F/RL:OF/RC:ND/CDP:MH/TD:H/CR:H/IR:L/AR:H
References
- CWE-284: Improper Access Control – https://cwe.mitre.org/data/definitions/284.html
Timeline
2021-03-11
- Cyphercor discovers issue internally, identifies and implements fix
2021-03-12
- Fix is tested and released
- Advisory is drafted and shared with potentially affected LoginTC Business and Enterprise customers
- Cyphercor performs additional testing
Contact
Feedback regarding this issue should be sent to support@cyphercor.com and contain “LTC-PSA-2021-001” in the subject.